Calculi with control operators have been studied to reason about control in programming languages and to interpret the computational content of classical proofs. To make these calculi into a real programming language, one should also include data types.

As a step in that direction, this paper defines a simply typed call-by-value λ-calculus with the control operators catch and throw, a data type of lists, and an operator for primitive recursion (à la Gödel's T). We prove that our system satisfies subject reduction, progress, confluence for untyped terms, and strong normalization for well-typed terms.

1 Introduction 

The extension of simply typed λ-calculus with control operators and the observation that these operators can be typed using rules of classical logic is originally due to Griffin [Gri90] and has led to a lot of research by varying the control operators, the underlying calculus or the computation rules, or by studying concrete examples of the computational content of classical proofs. Little of this research has considered the problem of how to incorporate primitive data types in direct style. If one wants to use these calculi as a real functional programming language with control, this is a gap that needs filling.

This paper contributes towards the development of a λ-calculus with both data types and control operators that allows program extraction from classical proofs. In such a calculus one can write specifications of programs, which can be proven using (a restricted form of) classical logic. Program extraction would then allow one to extract a program from such a proof, where the classical reasoning steps are extracted to control operators. This approach yields programs-with-control that are correct by construction because they are extracted from a proof of the specification. However, in order for these extracted programs to be useful in practice, data types in direct style should be supported.

As a step in that direction, we introduce λ::catch, a simply typed call-by-value λ-calculus with the control operators catch and throw, a list and unit data type, and an operator for primitive recursion (à la Gödel's T). We consider lists because those are among the most commonly used data types in functional programming. Expressively, lists make our system at least as strong as Gödel's T because natural numbers can be encoded as lists over the unit type. We prove the conventional metatheoretical properties (subject reduction, progress, confluence, and strong normalization) so that it may be used as a sound basis for a calculus that allows program extraction from classical proofs.

Our system is based on Herbelin's IQC_MP-calculus with catch and throw that he uses to give a computational interpretation of Markov's principle [Her10]. Most importantly, we adopt his restriction of the control operator catch to →-free types. This restriction enables the system to satisfy progress without losing other metatheoretical properties. The progress property states that if t is a well-typed closed term, then t is either a value or there is a term t' such that t reduces to t'. From a programmer's point of view this is an important property as together with confluence it ensures unique representation of data. For example, for the natural numbers, unique representation of data means that for each natural number there is (up to conversion) a unique closed term of the type of natural numbers. To show how the system can be used in programming, we give a simple example in Example 2.11 where we define a function that multiplies the values of a list and throws an exception as soon as it encounters the value 0.

Proving confluence or strong normalization for systems with control generally requires complex extensions of standard proof methods, see for example [Par97, Py98, BHF01, Nak03, GKM12, RS94]. For λ::catch this is less the case. We give relatively short proofs of subject reduction, progress, confluence for untyped terms, and strong normalization for well-typed terms.

1.1 Related work 

Incorporating data types into a λ-calculus with control has not received much attention. We briefly summarize the research done in this direction and compare it with our work.

Parigot [Par92] has described a variant of his λμ-calculus with second-order types. His system is very powerful, because all the well-known second-order representable data types are included in it. But as observed in [Par92, Par93], it does not ensure unique representation of data. This defect can be remedied by adding additional reduction rules; however, this results in a loss of confluence. Another approach is to use output operators to extract data, but this introduces an additional indirection.

Rehof and Sørensen have described an extension of their λ_Δ-calculus with basic constants and functions [RS94]. Unfortunately their extension is quite limited. In particular, an operator for primitive recursion, which takes terms rather than basic constants as its arguments, cannot be defined.

Barthe and Uustalu [BU02] have considered CPS-translations for inductive and coinductive types. In particular, they describe a system with a primitive for iteration over the natural numbers, and the control operator Δ. They prove preservation of typing and reduction under a CPS-translation, but do not consider other metatheoretical properties of this system.

Crolard and Polonowski [CP11] have considered a version of Gödel's T with products and call/cc. However, as their semantics is presented by CPS-translations instead of a direct specification via a calculus, their work is not directly related to ours.

Geuvers, Krebbers and McKinna [GKM12] have defined an extension of Parigot's λμ-calculus with a data type of natural numbers and an operator for primitive recursion. They prove that their system satisfies subject reduction, unique representation of the naturals, confluence and strong normalization. Also, they define a CPS-translation into Gödel's T to show that adding control operators does not extend the expressive power. Unfortunately, their system is call-by-name with call-by-value evaluation for data types, making it less suitable to model control in most programming languages. Due to their decision to use λμ, their proofs involve many complex extensions of standard proof techniques, and expose a lot of non-trivial interaction between control and data types.

Several extensions of λ-calculus with the control operators catch and throw have been studied in the literature. We discuss those that are most relevant to our work. Crolard [Cro99] has considered a call-by-name variant of such a calculus, for which he defines a correspondence with Parigot's λμ-calculus. He uses this correspondence to prove confluence, subject reduction and strong normalization, but does not consider data types in direct style.

Herbelin [Her10] has defined IQC_MP, a calculus with catch and throw to give a computational interpretation of Markov's principle. His calculus is call-by-value and supports product, sum, existential, and universally quantified types. An essential feature of his calculus is the restriction of catch to ∀→-free types. This restriction enables him to prove progress, which is an important property for his main result, a proof of the disjunction and existence property.

Since Herbelin's IQC_MP-calculus has a convenient metatheory, we use it as the starting point for our work. But instead of considering product, sum, existential, and universally quantified types, we consider a data type of lists in direct style. Whereas Herbelin does not consider confluence, and does not give a direct proof of strong normalization, we will give direct proofs of these properties for our system.

1.2 Outline 

In Section 2 we define the typing rules, and the basic reduction rules, whose compatible closure defines computation in λ::catch. We give two example programs showing interaction between data types and control. Section 2 moreover contains proofs of subject reduction and progress. Section 3 contains a direct proof of confluence for untyped terms based on an analysis of complete developments. Section 4 contains a direct proof of strong normalization using the reducibility method. We close with conclusions and indications for further work in Section 5.

2 The system 

Definition 2.1. The types, terms and values of λ::catch are defined as

  σ, τ, ρ ::= ⊤ | [τ] | σ → τ
  t, r, s ::= x | () | nil | (::) | lrec | λx.r | t s | catch α.t | throw α t
  v, w, v_r, v_s ::= x | () | nil | (::) | (::) v | (::) v w | lrec | lrec v_r | lrec v_r v_s | λx.r

where x, y, and z range over variables, and α, β and γ range over continuation variables.

The construct λx.r binds x in r, and catch α.t binds α in t. The precedence of λ and catch is lower than application, so instead of catch α.(t r) we write catch α.t r. We let FV(t) denote the set of free variables of t, and FCV(t) the set of free continuation variables of t. As usual, we use Barendregt's variable convention [Bar84]. That is, given a term, we may assume that bound variables are distinct from free variables and that all bound variables are distinct. The operation of capture avoiding substitution t[x := r] of r for x in t is defined in the usual way.

The constructs nil and (::) are the constructors of the list data type. We treat these constructors, and the operator lrec for primitive recursion over lists, as unary constants so we can use them in partially applied position. Also, this treatment results in a more uniform definition of the reduction rules. We often use Haskell-style notation. In particular, we write t :: r to denote (::) t r, and λ_.t to denote λx.t with x ∉ FV(t). Furthermore, we write [t_1, …, t_n] to denote t_1 :: … :: t_n :: nil.

Following Herbelin [Her10] we restrict catch to →-free types. Without this restriction, progress (Theorem 2.15) would fail. Let us consider the term catch α.λx.throw α (λy.y). Without this restriction, this term would have had type ⊤ → ⊤, whereas it would not reduce to a value. In fact, even (catch α.λx.throw α (λy.y)) () : ⊤ would not reduce. The reduction rules for catch and throw are very similar to [Her10], but quite different from those by Crolard [Cro99]. In particular, Crolard includes reduction rules to move the catch whereas Herbelin's system and ours merely allow a throw to move towards the corresponding catch. This is due to the restriction to →-free types.

Definition 2.2. We let φ and ψ range over →-free types.

Definition 2.3. Let Γ be a map from variables to types, and let Δ be a map from continuation variables to →-free types. The derivation rules for the typing judgment Γ; Δ ⊢ t : ρ are as follows.

  Γ; Δ ⊢ x : ρ                                    if x : ρ ∈ Γ
  Γ; Δ ⊢ () : ⊤
  Γ; Δ ⊢ nil : [σ]
  Γ; Δ ⊢ (::) : σ → [σ] → [σ]
  Γ; Δ ⊢ lrec : ρ → (σ → [σ] → ρ → ρ) → [σ] → ρ
  Γ; Δ ⊢ λx.t : σ → τ                             if Γ, x : σ; Δ ⊢ t : τ
  Γ; Δ ⊢ t s : τ                                  if Γ; Δ ⊢ t : σ → τ and Γ; Δ ⊢ s : σ
  Γ; Δ ⊢ catch α.t : ψ                            if Γ; Δ, α : ψ ⊢ t : ψ
  Γ; Δ ⊢ throw α t : τ                            if Γ; Δ ⊢ t : ψ and α : ψ ∈ Δ

Lemma 2.4. Given a value v with ∅; Δ ⊢ v : ρ, then:

1. If ρ = ⊤, then v is of the shape ().

2. If ρ = [σ], then v is of the shape [w_1, …, w_n].

3. If ρ = σ → τ, then v is of the shape (::), (::) w, lrec, lrec v_r, lrec v_r v_s or λx.r.

Proof. This result is proven by induction on the structure of v. The case v = x is impossible because v is closed for free variables. The other cases are easy. □

Definition 2.5. The contexts of λ::catch are defined as:

  E ::= □ t | v □ | throw α □

Given a context E and a term s, the substitution of s for the hole in E, notation E[s], is defined in the usual way.

Definition 2.6. Reduction t → t' is defined as the compatible closure of:

  (λx.t) v → t[x := v]                                           (βv)
  E[throw α t] → throw α t                                        (t)
  catch α.throw α t → catch α.t                                   (c1)
  catch α.throw β v → throw β v          if α ∉ {β} ∪ FCV(v)      (c2)
  catch α.v → v                          if α ∉ FCV(v)            (c3)
  lrec v_r v_s nil → v_r                                          (nil)
  lrec v_r v_s (v_h :: v_t) → v_s v_h v_t (lrec v_r v_s v_t)      (::)

As usual, ↠ denotes the reflexive/transitive closure and = denotes the reflexive/symmetric/transitive closure.

Notice that because we treat partially applied (::) and lrec constructs as values, we get reductions like throw α r :: t = (::) (throw α r) t → (throw α r) t → throw α r for free without the need for additional contexts for (::) and lrec.

Fact 2.7. If Γ; Δ ⊢ v : ψ, then FCV(v) = ∅.

Proof. By induction on the structure of the value v. Since ψ is →-free, we only have to consider the cases v = x, v = (), v = nil and v = v_h :: v_t, for which the result trivially holds. □

The reduction rules (c2) and (c3) require that α ∉ FCV(v). This side condition can be omitted for well-typed terms by the previous fact. However, since we consider the problem of confluence for untyped terms (Section 3), we do need this additional restriction.
Definition 2.8. We define a type for the natural numbers N := [⊤], with the following operations on it.

  0 := nil
  S := (::) ()
  nrec := λx_r x_s. lrec x_r (λ_.x_s)

We let n̄ := Sⁿ 0 denote the representation of a natural number n.

Fact 2.9. The operations on N satisfy the expected conversions.

  nrec v_r v_s 0 ↠ v_r
  nrec v_r v_s (S v) = v_s v (nrec v_r v_s v)

Colson and Fredholm [CF98] have shown that in Gödel's T with call-by-value reduction, it takes at least a number of steps that is linear with respect to the input for a non-trivial algorithm to reduce to a value. In particular, it is impossible to compute the predecessor in constant time. Intuitively it is easy to see why: consider the reduction nrec v_r v_s (S v) → v_s v (nrec v_r v_s v). Due to the restriction of β-reduction to values, the recursive call nrec v_r v_s v has to be reduced to a value before the whole term is able to reduce to a value. In λ::catch we can use the control mechanism to do better.

Example 2.10. We define the predecessor function pred : N → N as follows.

  pred := λn. catch α. nrec 0 (λx. throw α x) n

Computing the predecessor is possible in a constant number of steps.

  pred (S n̄) → catch α. nrec 0 (λx. throw α x) (S n̄)
             ↠ catch α. (λx. throw α x) n̄ (lrec 0 (λ_ x. throw α x) n̄)
             → catch α. (throw α n̄) (lrec 0 (λ_ x. throw α x) n̄)
             → catch α. throw α n̄ ↠ n̄

Example 2.11. We define a λ::catch-program F : [N] → N that computes the product of the elements of a list. The interest of this program is that it uses the control mechanism to stop multiplying once the value 0 is encountered.

  F := λl. catch α. lrec 1 H l
  H := λx _. nrec (throw α 0) (λy _ h. S y * h) x

Here, addition (+) and multiplication (*) are defined as follows.

  (+) := λn m. nrec m (λ_ y. S y) n
  (*) := λn m. nrec 0 (λ_ y. m + y) n

We show a computation of F [4, 0, 9].

  F [4, 0, 9] ↠ catch α. lrec 1 H [4, 0, 9]
              ↠ catch α. nrec (throw α 0) (λy _ h. S y * h) 4 (lrec 1 H [0, 9])
              ↠ catch α. (λh. 4 * h) (lrec 1 H [0, 9])
              ↠ catch α. (λh. 4 * h) (throw α 0)
              ↠ catch α. throw α 0 ↠ 0
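The reduction rules of Definition 2.6 and the two programs above, run by an interpreter: this Python block is an added example, not code from the paper. It implements a leftmost call-by-value strategy (one strategy within the compatible closure), the encodings of Definition 2.8, pred from Example 2.10 and a product-with-escape program. Assumptions of mine: the tuple representation, the variable names, and the step function H, which is my variant of Example 2.11's H with the base case thunked as λ_.throw α 0 so that rule (t) does not fire until the head has been inspected.

```python
# Added example, not the paper's code: a small-step interpreter for closed λ::catch
# terms. Terms are tuples; bound names follow Barendregt's convention (no clashes).
def var(x): return ('var', x)
UNIT, NIL, CONS, LREC = ('unit',), ('nil',), ('cons',), ('lrec',)
def lam(x, body): return ('lam', x, body)
def lams(names, body): return lam(names[0], lams(names[1:], body)) if names else body
def app(f, *args): return app(('app', f, args[0]), *args[1:]) if args else f  # f a1 ... an
def catch(a, t): return ('catch', a, t)
def throw(a, t): return ('throw', a, t)

def spine(t):                           # head and argument list of an application
    args = []
    while t[0] == 'app': args.insert(0, t[2]); t = t[1]
    return t, args

def is_value(t):                        # values of Definition 2.1; (::), lrec partially applied
    if t[0] in ('var', 'unit', 'nil', 'cons', 'lrec', 'lam'): return True
    h, args = spine(t)
    return h[0] in ('cons', 'lrec') and len(args) <= 2 and all(map(is_value, args))

def fcv(t):                             # free continuation variables FCV(t)
    if t[0] == 'catch': return fcv(t[2]) - {t[1]}
    if t[0] == 'throw': return {t[1]} | fcv(t[2])
    if t[0] == 'app': return fcv(t[1]) | fcv(t[2])
    return fcv(t[2]) if t[0] == 'lam' else set()

def subst(t, x, v):                     # t[x := v]
    k = t[0]
    if k == 'var': return v if t[1] == x else t
    if k == 'lam': return t if t[1] == x else lam(t[1], subst(t[2], x, v))
    if k == 'app': return app(subst(t[1], x, v), subst(t[2], x, v))
    if k in ('catch', 'throw'): return (k, t[1], subst(t[2], x, v))
    return t

def step(t):                            # one leftmost CBV step of Definition 2.6, or None
    k = t[0]
    if k == 'app':
        f, s = t[1], t[2]
        if f[0] == 'throw': return f                                # (t) with E = □ s
        if is_value(f) and s[0] == 'throw': return s                # (t) with E = v □
        if not is_value(f):
            f2 = step(f); return None if f2 is None else ('app', f2, s)
        if not is_value(s):
            s2 = step(s); return None if s2 is None else ('app', f, s2)
        if f[0] == 'lam': return subst(f[2], f[1], s)               # (βv)
        h, args = spine(t)
        if h[0] == 'lrec' and len(args) == 3:
            vr, vs, xs = args
            if xs[0] == 'nil': return vr                            # (nil)
            lh, largs = spine(xs)
            if lh[0] == 'cons' and len(largs) == 2:                 # (::)
                vh, vt = largs
                return app(vs, vh, vt, app(LREC, vr, vs, vt))
        return None
    if k == 'throw':
        if t[2][0] == 'throw': return t[2]                          # (t) with E = throw α □
        r2 = step(t[2]); return None if r2 is None else throw(t[1], r2)
    if k == 'catch':
        a, body = t[1], t[2]
        if body[0] == 'throw':
            if body[1] == a: return catch(a, body[2])               # (c1)
            if is_value(body[2]) and a not in fcv(body[2]): return body   # (c2)
        if is_value(body) and a not in fcv(body): return body       # (c3)
        b2 = step(body); return None if b2 is None else catch(a, b2)
    return None

def normalize(t, fuel=100000):          # returns (normal form, number of steps taken)
    steps = 0
    while True:
        t2 = step(t)
        if t2 is None: return t, steps
        t, steps = t2, steps + 1
        if steps > fuel: raise RuntimeError('fuel exhausted')

# Definition 2.8: N := [⊤], 0 := nil, S := (::) (), nrec := λx_r x_s. lrec x_r (λ_.x_s)
ZERO, S = NIL, app(CONS, UNIT)
NREC = lams(['x_r', 'x_s'], app(LREC, var('x_r'), lam('_', var('x_s'))))
def num(n): return ZERO if n == 0 else app(S, num(n - 1))             # numeral S^n 0
def lst(ns): return NIL if not ns else app(CONS, num(ns[0]), lst(ns[1:]))
def to_int(v): return 0 if v[0] != 'app' else 1 + to_int(v[2])        # decode a numeral

# Example 2.10: pred escapes with the tail as soon as the successor is seen.
PRED = lam('n', catch('a', app(NREC, ZERO, lam('x', throw('a', var('x'))), var('n'))))
# (+) and (*) as in Example 2.11
PLUS = lams(['n', 'm'], app(NREC, var('m'), lams(['_', 'y'], app(S, var('y'))), var('n')))
TIMES = lams(['n', 'm'], app(NREC, ZERO, lams(['_', 'y'], app(PLUS, var('m'), var('y'))), var('n')))
# Product with escape on 0; my H thunks the base case (λ_.throw α 0) so (t) fires only on head 0.
H = lams(['x', '_', 'h'], app(LREC, lam('_', throw('a', ZERO)),
                              lams(['_', '_', '_'], lam('_', app(TIMES, var('x'), var('h')))),
                              var('x'), UNIT))
PRODUCT = lam('l', catch('a', app(LREC, num(1), H, var('l'))))

def run(program, arg):                  # (decoded numeral, steps) for a closed application
    v, steps = normalize(app(program, arg))
    return to_int(v), steps

if __name__ == '__main__':
    print(run(PRED, num(6)), run(PRED, num(60)), run(PRODUCT, lst([4, 0, 9])), run(PRODUCT, lst([2, 3])))
```

Because pred throws past the recursive call, run(PRED, num(n)) reports the same step count for every n, the constant-time predecessor of Example 2.10.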
Lemma 2.12. If Γ; Δ ⊢ r : σ and Γ, x : σ; Δ ⊢ t : ρ, then Γ; Δ ⊢ t[x := r] : ρ.

Theorem 2.13 (Subject reduction). If Γ; Δ ⊢ t : ρ and t → t', then Γ; Δ ⊢ t' : ρ.

Proof. We have to show that each reduction rule preserves typing. We use Lemma 2.12 for (βv). □

Lemma 2.14. Given a normal form t with ∅; Δ ⊢ t : ρ, then either t is a value, or t = throw β v for some value v and continuation variable β.

Proof. This result is proven by induction on the derivation of ∅; Δ ⊢ t : ρ.

1. Let ∅; Δ ⊢ x : ρ with x : ρ ∈ ∅. This is impossible because x : ρ ∉ ∅.

2. In the case of (), nil, (::), lrec and λx.r the result is immediate.

3. Let ∅; Δ ⊢ t s : τ with ∅; Δ ⊢ t : σ → τ and ∅; Δ ⊢ s : σ. By the induction hypothesis we know that the terms t and s are either a value or a throw. Since t s is in normal form, it is impossible that either of them is a throw. Therefore, we may assume that both are values. Now, since t has type σ → τ, we can use Lemma 2.4 to analyze the possible shapes of t.

(a) Let t = lrec v_r v_s. By the typing rules we obtain that s has type [ρ'] for some ρ'. So, by Lemma 2.4 we have that s is a list. However, t s is in normal form, so this is impossible.

(b) Let t = λx.r. This case is impossible because s is a value and t s is in normal form.

(c) In all other cases, the term t s is a value.

4. Let ∅; Δ ⊢ catch α.t : ψ with ∅; Δ, α : ψ ⊢ t : ψ. By the induction hypothesis we know that t is a value or a throw. If t is a value, Fact 2.7 gives us that α ∉ FCV(t). This is impossible since catch α.t is in normal form. Similarly, it is also impossible that t is a throw.

5. Let ∅; Δ ⊢ throw α t : σ with ∅; Δ ⊢ t : ψ and α : ψ ∈ Δ. By the induction hypothesis we know that t is a value or a throw. If t is a value, we are done. Furthermore, t cannot be a throw since throw α t is in normal form. □

Theorem 2.15 (Progress). If ∅; ∅ ⊢ t : ρ, then t is either a value, or there is a term t' with t → t'.

Proof. This result follows immediately from Lemma 2.14. □

3 Confluence 

To prove confluence for untyped terms of λ::catch, we use the notion of parallel reduction, as introduced by Tait and Martin-Löf [Bar84]. A parallel reduction relation ⇒ allows one to contract a number of redexes in a term simultaneously so as to make it preserved under substitution. If one proves that the parallel reduction ⇒ satisfies:

• The diamond property: if t_1 ⇒ t_2 and t_1 ⇒ t_3, then there exists a t_4 such that t_2 ⇒ t_4 and t_3 ⇒ t_4.

• t_1 ⇒ t_2 implies t_1 ↠ t_2, and t_1 ↠ t_2 implies t_1 ⇒* t_2.

then one obtains confluence of →.

Following Takahashi [Tak95], we further streamline the proof by defining the complete development of a term t, notation t°, which is obtained by contracting all redexes in t. Now to prove the diamond property of ⇒ it suffices to prove that t_1 ⇒ t_2 implies t_2 ⇒ t_1°.

For Parigot's λμ-calculus, it is well known that the naive parallel reduction is not preserved under substitution [BHF01]. Instead, a complex parallel reduction that moves subterms located very deeply in a term towards the outside is needed [BHF01, Nak03, GKM12]. For λ::catch we experience another issue. Consider the following rule.

  If t ⇒ t', then E[throw α t] ⇒ throw α t'

If we take throw α_1 (throw α_2 (… throw α_n () …)) (with n > 5), then we could perform a reduction that contracts all even numbered throws, and also a reduction that contracts all odd numbered throws. Since these two reducts do not converge in a single parallel reduction step, such a parallel reduction would not be confluent. To repair this issue we use a similar fix as in [BHF01, Nak03, GKM12]: we allow a throw to jump over a compound context.

Definition 3.1. Compound contexts are defined as:

  𝓔 ::= □ | 𝓔 t | v 𝓔 | throw α 𝓔

Given a compound context 𝓔 and a term s, the substitution of s for the hole in 𝓔, notation 𝓔[s], is defined in the usual way.

Definition 3.2. Parallel reduction t ⇒ t' is inductively defined as:

1. x ⇒ x, () ⇒ (), nil ⇒ nil, (::) ⇒ (::), and lrec ⇒ lrec.

2. If t ⇒ t' and r ⇒ r', then t r ⇒ t' r'.

3. If t ⇒ t', then λx.t ⇒ λx.t'.

4. If t ⇒ t', then catch α.t ⇒ catch α.t'.

5. If t ⇒ t' and v ⇒ r, then (λx.t) v ⇒ t'[x := r].

6. If t ⇒ t', then 𝓔[throw α t] ⇒ throw α t'.

7. If t ⇒ t', then catch α.throw α t ⇒ catch α.t'.

8. If v ⇒ t and α ∉ {β} ∪ FCV(v), then catch α.throw β v ⇒ throw β t.

9. If v ⇒ t and α ∉ FCV(v), then catch α.v ⇒ t.

10. If v_r ⇒ r, then lrec v_r v_s nil ⇒ r.

11. If v_r ⇒ r, v_s ⇒ s, v_h ⇒ h and v_t ⇒ t, then lrec v_r v_s (v_h :: v_t) ⇒ s h t (lrec r s t).

Lemma 3.3. Parallel reduction satisfies the following properties.

1. It is reflexive, i.e. t ⇒ t.

2. The term v[x := w] is a value.

3. If v ⇒ t, then t is a value.

4. If t ⇒ t', then FV(t') ⊆ FV(t) and FCV(t') ⊆ FCV(t).

5. If t ⇒ t' and v ⇒ r, then t[x := v] ⇒ t'[x := r].

Lemma 3.4. Parallel reduction enjoys the intended behavior. That is:

1. If t → t', then t ⇒ t'.

2. If t ⇒ t', then t ↠ t'.

Proof. The first property is proven by induction on the derivation of t → t' using that parallel reduction is reflexive and satisfies the substitution property (Lemma 3.3). The second property is proven by induction on the derivation of t ⇒ t' using an obvious substitution lemma for ↠. □
Definition 3.5. The complete development t° is defined as:

  ((λx.t) v)° := t°[x := v°]
  (𝓔[throw α t])° := throw α t°                     if t ≠ throw γ s
  (catch α.throw α t)° := catch α.t°
  (catch α.throw β v)° := throw β v°                 if α ∉ {β} ∪ FCV(v)
  (catch α.v)° := v°                                 if α ∉ FCV(v)
  (lrec v_r v_s nil)° := v_r°
  (lrec v_r v_s (v_h :: v_t))° := v_s° v_h° v_t° (lrec v_r° v_s° v_t°)

For variables, (), nil, (::) and lrec, the complete development is defined as the identity, and it propagates through the other cases that we have omitted.

We lift the parallel reduction to compound contexts with the intended behavior that if 𝓔 ⇒ 𝓕 and q ⇒ q', then 𝓔[throw α q] ⇒ 𝓕[throw α q'].

Definition 3.6. Parallel reduction 𝓔 ⇒ 𝓕 on compound contexts is inductively defined as:

1. □ ⇒ □.

2. throw α □ ⇒ □.

3. If 𝓔 ⇒ 𝓕 and t ⇒ t', then 𝓔 t ⇒ 𝓕 t'.

4. If 𝓔 ⇒ 𝓕 and v ⇒ w, then v 𝓔 ⇒ w 𝓕.

5. If 𝓔 ⇒ 𝓕, then throw α 𝓔 ⇒ throw α 𝓕.

6. If 𝓔 ⇒ 𝓕, then throw β (throw α 𝓔) ⇒ throw α 𝓕.

Remark that if we have 𝓔[throw α q] ⇒ r, then r is not necessarily of the shape 𝓕[throw α q'] with 𝓔 ⇒ 𝓕 and q ⇒ q', because q could be a throw.

Lemma 3.7. If 𝓔[throw α q_1] ⇒ r and q_1 ≠ throw γ s, then there exist a q_2 and 𝓕 such that r = 𝓕[throw α q_2] with 𝓔 ⇒ 𝓕 and q_1 ⇒ q_2.

Lemma 3.8. If t_1 ⇒ t_2, then t_2 ⇒ t_1°.

Proof. By induction on the derivation of t_1 ⇒ t_2. We consider some interesting cases.

1. Let t_1 r_1 ⇒ t_2 r_2 with t_1 ⇒ t_2 and r_1 ⇒ r_2. We distinguish the following cases:

(a) Let t_1 = λx.s_1 and r_1 a value. By distinguishing reductions we have t_2 = λx.s_2 with s_1 ⇒ s_2. Now, t_2 ⇒ t_1° and s_2 ⇒ s_1° by the induction hypothesis. Furthermore, we have that r_2 is a value by Lemma 3.3. Therefore, t_2 r_2 = (λx.s_2) r_2 ⇒ s_1°[x := r_1°] = (t_1 r_1)° by Lemma 3.3.

(b) Let t_1 = lrec v_r v_s and r_1 = nil. By distinguishing reductions we have t_2 = lrec r s and r_2 = nil with v_r ⇒ r and v_s ⇒ s. Now, r ⇒ v_r° by the induction hypothesis. Therefore, t_2 r_2 = lrec r s nil ⇒ v_r° = (lrec v_r v_s nil)° = (t_1 r_1)°.

(c) Let t_1 = lrec v_r v_s and r_1 = v_h :: v_t. This case is similar to the previous one.

(d) Let t_1 = 𝓔[throw α q_1] with q_1 ≠ throw γ s. By Lemma 3.7 we have t_2 = 𝓕[throw α q_2] with 𝓔 ⇒ 𝓕 and q_1 ⇒ q_2. Now we have q_2 ⇒ q_1° by the induction hypothesis. Therefore, t_2 r_2 = 𝓕[throw α q_2] r_2 ⇒ throw α q_1° = (t_1 r_1)°.

(e) Let r_1 = 𝓔[throw β q_1] with q_1 ≠ throw γ s and t_1 a value. The proof of this case is similar to the previous one.

(f) For the remaining cases we have t_2 ⇒ t_1° and r_2 ⇒ r_1° by the induction hypothesis. Therefore, t_2 r_2 ⇒ t_1° r_1° = (t_1 r_1)°.

2. Let catch α.t_1 ⇒ catch α.t_2 with t_1 ⇒ t_2. We distinguish the following cases:

(a) Let t_1 = throw α q_1 with q_1 ≠ throw γ s. By distinguishing reductions we obtain that t_2 = throw α q_2 with q_1 ⇒ q_2. Now we have q_2 ⇒ q_1° by the induction hypothesis. Therefore, catch α.t_2 = catch α.throw α q_2 ⇒ catch α.q_1° = (catch α.t_1)°.

(b) Let t_1 = throw α (𝓔[throw β q_1]) with q_1 ≠ throw γ s. We have t_2 = 𝓕[throw β q_2] with throw α 𝓔 ⇒ 𝓕 and q_1 ⇒ q_2 by Lemma 3.7. Also, q_2 ⇒ q_1° by the induction hypothesis. Therefore, catch α.t_2 = catch α.𝓕[throw β q_2] ⇒ catch α.throw β q_1° = (catch α.t_1)°.

(c) Let t_1 = throw β v_1 with α ∉ {β} ∪ FCV(v_1). By distinguishing reductions we obtain that t_2 = throw β v_2 with v_1 ⇒ v_2. Now, v_2 ⇒ v_1° by the induction hypothesis, and α ∉ FCV(v_2) by Lemma 3.3. So, catch α.t_2 = catch α.throw β v_2 ⇒ throw β v_1° = (catch α.t_1)°.

(d) Let t_1 be a value with α ∉ FCV(t_1). We have t_2 ⇒ t_1° by the induction hypothesis. Also, t_2 is a value and α ∉ FCV(t_2) by Lemma 3.3. Therefore, catch α.t_2 ⇒ t_1° = (catch α.t_1)°.

(e) For the remaining cases we have t_2 ⇒ t_1° by the induction hypothesis. As a result we have catch α.t_2 ⇒ catch α.t_1° = (catch α.t_1)°.

3. Let 𝓕[throw α t_1] ⇒ throw α t_2 with t_1 ⇒ t_2. We distinguish the following cases:

(a) Let t_1 = 𝓔[throw β q_1] with q_1 ≠ throw γ s. This case is similar to case (1d).

(b) For the remaining cases we have t_2 ⇒ t_1° by the induction hypothesis. As a result we have throw α t_2 ⇒ throw α t_1° = (𝓕[throw α t_1])°.

4. Let catch α.throw α t_1 ⇒ catch α.t_2 with t_1 ⇒ t_2. We have t_2 ⇒ t_1° by the induction hypothesis. As a result we have catch α.t_2 ⇒ catch α.t_1° = (catch α.throw α t_1)°.

5. Let catch α.throw β v_1 ⇒ throw β t_2 with v_1 ⇒ t_2 and α ∉ {β} ∪ FCV(v_1). We have t_2 ⇒ v_1° by the induction hypothesis. Furthermore, t_2 is a value by Lemma 3.3. As a result we have throw β t_2 ⇒ throw β v_1° = (catch α.throw β v_1)°.

6. Let catch α.v_1 ⇒ t_2 with v_1 ⇒ t_2 and α ∉ FCV(v_1). We have t_2 ⇒ v_1° by the induction hypothesis and t_2 is a value by Lemma 3.3. Therefore, t_2 ⇒ v_1° = (catch α.v_1)°. □

Corollary 3.9. If t_1 ⇒ t_2 and t_1 ⇒ t_3, then there exists a t_4 such that t_2 ⇒ t_4 and t_3 ⇒ t_4.

Proof. Take t_4 := t_1°. Now we have t_2 ⇒ t_1° and t_3 ⇒ t_1° by Lemma 3.8. □

Theorem 3.10 (Confluence). If t_1 ↠ t_2 and t_1 ↠ t_3, then there exists a t_4 such that t_2 ↠ t_4 and t_3 ↠ t_4.

Proof. By Corollary 3.9 and a simple diagram chase (as in [Bar84]), we obtain confluence of ⇒. Now, confluence of → is immediate by Lemma 3.4. □

4 Strong normalization 

In this section we prove that reduction in λ::catch is strongly normalizing. We use the reducibility method, which is originally due to Tait [Tai67]. By this method, instead of proving that a term t of type ρ is strongly normalizing, one proves t ∈ ⟦ρ⟧, where ⟦σ → τ⟧ := {t | ∀s ∈ ⟦σ⟧. t s ∈ ⟦τ⟧}.

Although Tait's method does work for the call-by-name λμ-calculus [Par97], David and Nour [DN05] have shown that it does not extend to its symmetric variant. They proved that the property, if r ∈ SN and t[x := r] ∈ ⟦σ⟧, then (λx.t) r ∈ ⟦σ⟧, no longer holds due to the reduction t (μα.c) → μα.c[α := α(t □)]. However, the similar reduction t (throw α r) → throw α r in our calculus consumes t without performing any (structural) substitution in r. So, for λ::catch this problem does not exist.

It may be possible to prove strong normalization by use of a strictly reduction preserving translation into another system that is already known to be strongly normalizing. For example, one may try to use the obvious translation into the second-order call-by-value λμ-calculus where the data type of lists can be defined as [τ] := ∀X. X → (τ → X → X) → X. However, this translation does not preserve the reduction (::). We are unaware of other systems that are both known to be strongly normalizing, and allow a straightforward strictly reduction preserving translation.

Definition 4.1. The set of strongly normalizing terms, SN, contains the terms t for which the length of each reduction sequence starting at t is bounded. We use the notation ν(t) to denote this bound.

Due to the addition of lists to λ::catch, the interpretation becomes a bit more involved than for the case of λ→. Intuitively, we want our interpretation to ensure that each element of the list t ∈ ⟦[σ]⟧ is contained in ⟦σ⟧.

Definition 4.2. Given a set of terms S, the set of terms ℒ_S is inductively defined by the following rule.

  ∀v w. if t ↠ v :: w then v ∈ S and w ∈ ℒ_S
  ——————————————————————————————————————————
                    t ∈ ℒ_S

Notice that the above definition ensures that nil ∈ ℒ_S because nil cannot reduce to v :: w.

Definition 4.3. The interpretation ⟦ρ⟧ of a type ρ is defined as:

  ⟦⊤⟧ := SN
  ⟦[σ]⟧ := SN ∩ ℒ_⟦σ⟧
  ⟦σ → τ⟧ := {t | ∀s ∈ ⟦σ⟧. t s ∈ ⟦τ⟧}

Lemmas 4.5 and 4.8 establish an important property: ⟦ψ⟧ = SN for →-free types ψ. Since the catch operator is restricted to →-free types, this means that catch α.r ∈ SN implies catch α.r ∈ ⟦ψ⟧. This property is the key result to prove that r ∈ ⟦ψ⟧ implies catch α.r ∈ ⟦ψ⟧ (Lemma 4.15).

The property r ∈ ⟦σ⟧ implies catch α.r ∈ ⟦σ⟧ does not hold for all types σ. For example, consider t = (catch α.throw α ω) ω with ω = λx.x x. By Corollary 4.10 we have throw α ω ∈ ⟦⊤ → ⊤⟧ and using the above result we would have had t ∈ SN. This is impossible because t ↠ ω ω → ω ω → …

Definition 4.4. We define the size of t, notation ℓ(t), as the number of symbols in t. For t ∈ SN, we define ℓ_n(t) as the size of the normal form of t.

Lemma 4.5. If ψ is →-free, then SN ⊆ ⟦ψ⟧.

Proof. We have to show that for each t ∈ SN, we have t ∈ ⟦ψ⟧. We proceed by well-founded induction on ℓ_n(t) and a case distinction on the structure of ψ. The only interesting case is (list), where we have to show that t ∈ ℒ_⟦ψ⟧. So, let t ↠ v :: w for values v and w. We have v ∈ SN ⊆ ⟦ψ⟧ and w ∈ ⟦[ψ]⟧ by the induction hypothesis as ℓ_n(v) < ℓ_n(t) and ℓ_n(w) < ℓ_n(t). Hence, t ∈ ℒ_⟦ψ⟧ as required. □

Lemma 4.6. If t ∈ ⟦σ⟧ and t ↠ t', then t' ∈ ⟦σ⟧.

Proof. We prove this result by structural induction on σ.

(unit) Let t ∈ ⟦⊤⟧ = SN and t ↠ t'. By definition of SN we have t' ∈ SN.

(list) Let t ∈ ⟦[σ]⟧ = SN ∩ ℒ_⟦σ⟧ and t ↠ t'. As we have t' ∈ SN by definition of SN, it remains to prove that t' ∈ ℒ_⟦σ⟧. So, let t' ↠ v :: w for values v and w. Now we have t ↠ t' ↠ v :: w. Therefore, v ∈ ⟦σ⟧ and w ∈ ℒ_⟦σ⟧ by the assumption that t ∈ ℒ_⟦σ⟧.

(→) Let t ∈ ⟦σ → τ⟧ and t ↠ t'. Since we have to prove that t' ∈ ⟦σ → τ⟧, let r ∈ ⟦σ⟧. By assumption we have t r ∈ ⟦τ⟧. Furthermore we have t r ↠ t' r because t ↠ t'. Therefore, t' r ∈ ⟦τ⟧ by the induction hypothesis. □

Definition 4.7. We let t̄ and ū denote a sequence of terms. The set SN̄ contains all sequences of strongly normalizing terms.

Lemma 4.8. We have the following results:

1. ⟦σ⟧ ⊆ SN.

2. If ū ∈ SN̄ then x ū ∈ ⟦σ⟧.

Proof. The results are proven simultaneously by structural induction on σ.

(unit) Both results are immediate.

(list) Property (1). ⟦[σ]⟧ = SN ∩ ℒ_⟦σ⟧ ⊆ SN.

Property (2). Let ū ∈ SN̄. We have to show that x ū ∈ ⟦[σ]⟧ = SN ∩ ℒ_⟦σ⟧. Since it is immediate that x ū ∈ SN, it remains to show that x ū ∈ ℒ_⟦σ⟧. However, as reductions x ū ↠ v :: w are impossible, we are done.

(→) Property (1). Let t ∈ ⟦σ → τ⟧. We have x ∈ ⟦σ⟧ by the induction hypothesis of property (2), and therefore t x ∈ ⟦τ⟧. By the induction hypothesis of property (1) we have ⟦τ⟧ ⊆ SN, so t ∈ SN.

Property (2). Let ū ∈ SN̄. We have to show that x ū ∈ ⟦σ → τ⟧, so let r ∈ ⟦σ⟧. By the induction hypothesis of property (1) we have r ∈ SN, and therefore x ū r ∈ ⟦τ⟧ by the induction hypothesis of property (2). Therefore, x ū ∈ ⟦σ → τ⟧ as required. □

Lemma 4.9. If r ∈ SN and ū ∈ SN̄, then (throw α r) ū ∈ SN.

Proof. We prove this result by induction on the length of ū.

1. We prove that we have throw α r ∈ SN by induction on ν(r). We proceed by distinguishing the reductions throw α r → q and show that we have q ∈ SN for each such q.

(a) Let throw α (throw β t) → throw β t. The result holds by assumption.

(b) Let throw α r → throw α r' with r → r'. The result follows from the induction hypothesis.

2. We prove that we have (throw α r) t ū ∈ SN by induction on ν(t) + ν((throw α r) ū). It is easy to verify that q ∈ SN for all reductions (throw α r) t ū → q. □

Corollary 4.10. If r ∈ SN and ū ∈ SN̄, then (throw α r) ū ∈ ⟦σ⟧.

Proof. We prove this result by structural induction on σ.

(unit) This case is a direct consequence of Lemma 4.9.

(list) We have to show that (throw α r) ū ∈ ⟦[σ]⟧ = SN ∩ ℒ_⟦σ⟧. As we have (throw α r) ū ∈ SN by Lemma 4.9, it remains to show that (throw α r) ū ∈ ℒ_⟦σ⟧. So, let (throw α r) ū ↠ v :: w for values v and w. By distinguishing reductions we see that this reduction is impossible.

(→) This case follows directly from the induction hypothesis and Lemma 4.8. □
It would be convenient if we could prove $t \in [\![\sigma]\!]$ by showing that for all reductions $t \to t'$ we have $t' \in [\![\sigma]\!]$. Unfortunately, this result does not hold in general. For example, whereas the term $\omega :: \mathsf{nil}$ is in normal form, we do not have $\omega :: \mathsf{nil} \in [\![\,[() \to ()]\,]\!]$. Similarly to Girard et al. [GTL89], we restrict ourselves to the terms $t$ that are neutral.

Definition 4.11. A term is neutral if it is not of the shape $\lambda x.r$, $\mathsf{lrec}\ v_r\ v_s$, or $v :: w$.

Lemma 4.12. If $t$ is neutral, and for all terms $t'$ with $t \to t'$ we have $t' \in [\![\sigma]\!]$, then $t \in [\![\sigma]\!]$.

Proof. The result is proven by structural induction on $\sigma$.

(unit) The result is immediate.

(list) Let $t$ be a neutral term such that for all terms $t'$ with $t \to t'$ we have $t' \in [\![\,[\sigma]\,]\!]$. We have to prove that $t \in [\![\,[\sigma]\,]\!] = \mathrm{SN} \cap \mathcal{L}_\sigma$. By Lemma 4.8 we have $[\![\,[\sigma]\,]\!] \subseteq \mathrm{SN}$, and therefore $t \in \mathrm{SN}$ as $t' \in \mathrm{SN}$ for each $t'$ with $t \to t'$ by assumption. It remains to show that $t \in \mathcal{L}_\sigma$, so let $t \twoheadrightarrow v :: w$ for values $v$ and $w$. Since $t$ is neutral, it is not itself of the shape $v :: w$, so there should be a term $t'$ such that $t \to t' \twoheadrightarrow v :: w$. For such a term $t'$ we have $t' \in [\![\,[\sigma]\,]\!]$ by assumption, hence $v \in [\![\sigma]\!]$ and $w \in \mathcal{L}_\sigma$. Therefore, $t \in \mathcal{L}_\sigma$ as required.

($\to$) Let $t$ be a neutral term such that for all terms $t'$ with $t \to t'$ we have $t' \in [\![\sigma \to \tau]\!]$. We have to prove that $t \in [\![\sigma \to \tau]\!]$, so let $r \in [\![\sigma]\!]$. By the induction hypothesis it is sufficient to show that if $t\,r \to q$ then $q \in [\![\tau]\!]$. By Lemma 4.8 we have $r \in \mathrm{SN}$, so we proceed by induction on $\nu(r)$. We distinguish the following reductions.

(a) Let $t\,r \to t'\,r$ with $t \to t'$. Now we have $t' \in [\![\sigma \to \tau]\!]$ by assumption. Hence, $t'\,r \in [\![\tau]\!]$ by definition, so we are done.

(b) Let $t\,r \to t\,r'$ with $r \to r'$. The result follows from the induction hypothesis.

(c) Let $(\mathsf{throw}\ \alpha\ s)\,r \to \mathsf{throw}\ \alpha\ s$. By Lemma 4.8 we have $[\![\sigma \to \tau]\!] \subseteq \mathrm{SN}$, and therefore $\mathsf{throw}\ \alpha\ s \in \mathrm{SN}$ as $t' \in \mathrm{SN}$ for each $t'$ with $\mathsf{throw}\ \alpha\ s \to t'$ by assumption. As a consequence we have $\mathsf{throw}\ \alpha\ s \in [\![\tau]\!]$ by Corollary 4.10.

(d) Let $v\ (\mathsf{throw}\ \alpha\ s) \to \mathsf{throw}\ \alpha\ s$. By assumption we have $\mathsf{throw}\ \alpha\ s \in [\![\sigma]\!]$, so $\mathsf{throw}\ \alpha\ s \in \mathrm{SN}$ by Lemma 4.8. Hence, $\mathsf{throw}\ \alpha\ s \in [\![\tau]\!]$ by Corollary 4.10.

No other reductions are possible because $t$ is neutral (so, in particular, it cannot be of the shape $\lambda x.s$ or $\mathsf{lrec}\ v_r\ v_s$). □

Lemma 4.13. If $r \in \mathrm{SN}$ and $t[x := r] \in [\![\sigma]\!]$, then $(\lambda x.t)\,r \in [\![\sigma]\!]$.

Proof. We prove this result by well-founded induction on $\nu(t) + \nu(r)$. By Lemma 4.12 it is sufficient to show that for each $q$ with $(\lambda x.t)\,r \to q$ we have $q \in [\![\sigma]\!]$. We consider some interesting reductions.

1. Let $(\lambda x.t)\,v \to t[x := v]$. The result holds by assumption.

2. Let $(\lambda x.t)\,(\mathsf{throw}\ \beta\ r) \to \mathsf{throw}\ \beta\ r$. In this case we have $\mathsf{throw}\ \beta\ r \in [\![\sigma]\!]$ by Corollary 4.10. □

Lemma 4.14. If $t \in [\![\sigma]\!]$ and $s \in [\![\,[\sigma]\,]\!]$, then $t :: s \in [\![\,[\sigma]\,]\!]$.

Proof. First we have to prove that $t :: s \in \mathrm{SN}$. That means, for each $q$ with $t :: s \to q$ we have $q \in \mathrm{SN}$. We prove this result by induction on $\nu(t) + \nu(s)$. We consider the following reductions.

1. Let $\mathsf{throw}\ \alpha\ r :: s \to (\mathsf{throw}\ \alpha\ r)\,s$. Since we have $\mathsf{throw}\ \alpha\ r \in [\![\sigma]\!]$ and $s \in [\![\,[\sigma]\,]\!]$ by assumption, we obtain that $r, s \in \mathrm{SN}$ by Lemma 4.8. Therefore, $(\mathsf{throw}\ \alpha\ r)\,s \in \mathrm{SN}$ by Lemma 4.9.

2. Let $v :: \mathsf{throw}\ \alpha\ r \to \mathsf{throw}\ \alpha\ r$. Since we have $\mathsf{throw}\ \alpha\ r \in [\![\,[\sigma]\,]\!]$ by assumption, we obtain that $\mathsf{throw}\ \alpha\ r \in \mathrm{SN}$ by Lemma 4.8.

Secondly, we have to prove that $t :: s \in \mathcal{L}_\sigma$. So, let $t :: s \twoheadrightarrow v :: w$ for values $v$ and $w$. By distinguishing reductions we obtain that $t \twoheadrightarrow v$ and $s \twoheadrightarrow w$. Therefore, we have $v \in [\![\sigma]\!]$ and $w \in [\![\,[\sigma]\,]\!] \subseteq \mathcal{L}_\sigma$ by Lemma 4.6 (closure under reduction). Hence, $t :: s \in \mathcal{L}_\sigma$ as required. □

Lemma 4.15. If $\sigma$ is $\to$-free and $r \in [\![\sigma]\!]$, then $\mathsf{catch}\ \alpha.r \in [\![\sigma]\!]$.

Proof. By Lemma 4.3 it is sufficient to prove that $\mathsf{catch}\ \alpha.r \in \mathrm{SN}$. We prove this result by well-founded induction on the lexicographic order on $\nu(r)$ and $\ell(r)$. Let $q$ with $\mathsf{catch}\ \alpha.r \to q$. It remains to prove that $q \in \mathrm{SN}$. We consider the following interesting reductions.

1. Let $\mathsf{catch}\ \alpha.\mathsf{throw}\ \alpha\ r \to \mathsf{catch}\ \alpha.r$. The result follows from the induction hypothesis as we have $\nu(r) \le \nu(\mathsf{throw}\ \alpha\ r)$ and $\ell(r) < \ell(\mathsf{throw}\ \alpha\ r)$.

2. Let $\mathsf{catch}\ \alpha.\mathsf{throw}\ \beta\ v \to \mathsf{throw}\ \beta\ v$. The result holds by Lemma 4.8.

3. Let $\mathsf{catch}\ \alpha.v \to v$. The result holds by Lemma 4.8. □

Lemma 4.16. If $r \in [\![\rho]\!]$, $s \in [\![\sigma \to [\sigma] \to \rho \to \rho]\!]$, and $t \in [\![\,[\sigma]\,]\!]$, then $\mathsf{lrec}\ r\ s\ t \in [\![\rho]\!]$.

Proof. We prove this result by well-founded induction on the lexicographic order on $\nu(r) + \nu(s) + \nu(t)$ and $\ell_n(t)$. By Lemma 4.12 it is sufficient to show that for each $q$ with $\mathsf{lrec}\ r\ s\ t \to q$ we have $q \in [\![\rho]\!]$. We consider the following interesting reductions.

1. Let $\mathsf{lrec}\ v_r\ v_s\ \mathsf{nil} \to v_r$. The result holds by assumption.

2. Let $\mathsf{lrec}\ v_r\ v_s\ (v_h :: v_t) \to v_s\ v_h\ v_t\ (\mathsf{lrec}\ v_r\ v_s\ v_t)$. By the definition of $v_h :: v_t \in [\![\,[\sigma]\,]\!]$ we obtain that $v_h \in [\![\sigma]\!]$ and $v_t \in [\![\,[\sigma]\,]\!]$. Therefore, we have $\mathsf{lrec}\ v_r\ v_s\ v_t \in [\![\rho]\!]$ by the induction hypothesis as $\ell_n(v_t) < \ell_n(v_h :: v_t)$. Now, the result follows from the assumption on $v_s$.

3. Let $\mathsf{lrec}\ (\mathsf{throw}\ \alpha\ r)\ s\ t \to (\mathsf{throw}\ \alpha\ r)\ s\ t$. By assumption and Lemma 4.8 we have $r, s, t \in \mathrm{SN}$, hence $(\mathsf{throw}\ \alpha\ r)\ s\ t \in [\![\rho]\!]$ by Corollary 4.10. □

Corollary 4.17. If $x_1 : \rho_1, \ldots, x_n : \rho_n; \Delta \vdash t : \tau$ and $r_i \in [\![\rho_i]\!]$ for all $1 \le i \le n$, then $t[x_1 := r_1, \ldots, x_n := r_n] \in [\![\tau]\!]$.

Proof. We prove this result by induction on the derivation of $\Gamma; \Delta \vdash t : \tau$. All cases follow immediately from the results proven in this section. □

Theorem 4.18 (Strong normalization). If $\Gamma; \Delta \vdash t : \rho$, then $t \in \mathrm{SN}$.

Proof. We have $x_i \in [\![\rho_i]\!]$ for each $x_i : \rho_i \in \Gamma$ by Lemma 4.8 (taking the empty sequence for $\bar u$). Therefore, $t \in [\![\rho]\!]$ by Corollary 4.17 (substituting each $x_i$ for itself) and hence $t \in \mathrm{SN}$ by Lemma 4.8. □
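The reductions that the proofs of Lemmas 4.9 to 4.16 distinguish case by case can be exercised on concrete terms. The following is an added example, not code from the paper: a small-step call-by-value evaluator in Python for closed terms over (), nil, ::, lrec, catch and throw, with the rules as they appear in this section. Where the page leaves a choice open, the code makes an assumption: arguments are reduced left to right before a function is applied, a throw in the second or third argument of lrec is pushed to the head in the same way as one in the first, substitution is only ever performed with closed values (so capture cannot occur), and there is no reduction under a λ. The helper names (step, normalize, app, lst, example_*) are assumptions of this example, not the paper's.

```python
# Added illustration, not the paper's code: a small-step call-by-value evaluator for
# closed terms, implementing the reduction rules distinguished in Lemmas 4.9-4.16.
# Assumptions not stated on the page: arguments reduce left to right before a call,
# a throw in lrec's 2nd/3rd argument is pushed to the head like one in the 1st,
# substitution only ever uses closed values, and there is no reduction under lambda.
VAR, LAM, APP, UNIT, NIL, CONS, LREC, CATCH, THROW = (
    'var', 'lam', 'app', 'unit', 'nil', 'cons', 'lrec', 'catch', 'throw')
U, NILV = (UNIT,), (NIL,)

def is_value(t):                          # values: (), nil, \x.t and cons cells of values
    return t[0] in (UNIT, NIL, LAM) or (t[0] == CONS and is_value(t[1]) and is_value(t[2]))

def subst(t, x, v):                       # t[x := v]; v is closed, so no capture
    k = t[0]
    if k == VAR:
        return v if t[1] == x else t
    if k == LAM:
        return t if t[1] == x else (LAM, t[1], subst(t[2], x, v))
    if k in (UNIT, NIL):
        return t
    if k in (CATCH, THROW):               # continuation variables are left alone
        return (k, t[1], subst(t[2], x, v))
    return (k,) + tuple(subst(a, x, v) for a in t[1:])   # app, cons, lrec

def _inside(t, i):                        # congruence rule: reduce the i-th child
    n = step(t[i])
    return None if n is None else t[:i] + (n,) + t[i + 1:]

def step(t):                              # one reduction step, None for a normal form
    k = t[0]
    if k == APP:
        if t[1][0] == THROW:              # (throw a s) r -> throw a s
            return t[1]
        if not is_value(t[1]):
            return _inside(t, 1)
        if t[2][0] == THROW:              # v (throw a s) -> throw a s
            return t[2]
        if not is_value(t[2]):
            return _inside(t, 2)
        return subst(t[1][2], t[1][1], t[2]) if t[1][0] == LAM else None  # (\x.t) v -> t[x := v]
    if k == CONS:
        if t[1][0] == THROW:              # throw a r :: s -> (throw a r) s
            return (APP, t[1], t[2])
        if not is_value(t[1]):
            return _inside(t, 1)
        if t[2][0] == THROW:              # v :: throw a r -> throw a r
            return t[2]
        return None if is_value(t[2]) else _inside(t, 2)
    if k == LREC:
        for i in (1, 2, 3):
            if t[i][0] == THROW:          # lrec (throw a r) s t -> (throw a r) s t
                return app(t[i], *t[i + 1:])
            if not is_value(t[i]):
                return _inside(t, i)
        if t[3][0] == NIL:                # lrec v_r v_s nil -> v_r
            return t[1]
        if t[3][0] == CONS:               # lrec v_r v_s (v_h :: v_t) -> v_s v_h v_t (lrec v_r v_s v_t)
            return app(t[2], t[3][1], t[3][2], (LREC, t[1], t[2], t[3][2]))
        return None
    if k == CATCH:
        if t[2][0] == THROW and t[2][1] == t[1]:   # catch a.throw a r -> catch a.r
            return (CATCH, t[1], t[2][2])
        if is_value(t[2]) or (t[2][0] == THROW and is_value(t[2][2])):
            return t[2]                   # catch a.v -> v ;  catch a.throw b v -> throw b v
        return _inside(t, 2)
    if k == THROW:
        if t[2][0] == THROW:              # throw a (throw b t) -> throw b t
            return t[2]
        return _inside(t, 2)
    return None                           # variables, () and nil do not reduce

def normalize(t, fuel=10000):             # fuel only matters for ill-typed terms (Theorem 4.18)
    for n in range(fuel):
        nxt = step(t)
        if nxt is None:
            return t, n
        t = nxt
    raise RuntimeError('fuel exhausted')

def var(x): return (VAR, x)
def lam(x, b): return (LAM, x, b)
def app(f, *args):                        # left-nested application f a1 ... an
    return f if not args else app((APP, f, args[0]), *args[1:])
def lst(*vs):                             # v1 :: ... :: vn :: nil
    return (CONS, vs[0], lst(*vs[1:])) if vs else NILV

def example_append():                     # append xs ys = lrec ys (\h.\t.\acc. h :: acc) xs
    append = lam('xs', lam('ys', (LREC, var('ys'),
        lam('h', lam('t', lam('acc', (CONS, var('h'), var('acc'))))), var('xs'))))
    return normalize(app(append, lst(U, U), lst(U)))[0]   # [(), (), ()]

def example_escape():                     # catch b. () :: (catch a. throw b [()])
    # the throw passes the inner catch (other name), drops the pending cons, is caught by b
    return normalize((CATCH, 'b', (CONS, U, (CATCH, 'a', (THROW, 'b', lst(U))))))[0]

def example_abort_fold():                 # catch a. lrec nil (\h.\t.\acc. throw a (h :: t)) [(), ()]
    # the recursive call is an argument and is reduced first, so the throw raised at the
    # last cons cell wins: the fold is cut short and yields that one-element suffix
    s = lam('h', lam('t', lam('acc', (THROW, 'a', (CONS, var('h'), var('t'))))))
    return normalize((CATCH, 'a', (LREC, NILV, s, lst(U, U))))[0]   # [()]
```

example_abort_fold makes concrete the remark in the conclusions about Gödel's T style recursors: because the recursive call is an argument of the step function, call-by-value evaluates it before the step function body runs, so a throw from the step function only cuts off the pending cons cells, not the traversal of the rest of the list. normalize also returns the number of steps taken, which for a well-typed term is bounded by $\nu(t)$ in the sense used in this section.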



5 Conclusions 

In this paper we have defined λ::catch and proven that it satisfies the usual meta-theoretical properties: subject reduction, progress, confluence, and strong normalization. These proofs require minor extensions of well-known proof methods. This section concludes with some remarks on possible extensions. 

An obvious extension is to add more simple data types, like products, sums, finitely branching trees, etc. We expect our proofs to extend easily to these data types. However, adding more complex data types presents some challenges. For example, consider the type $\mathsf{tree}$ of unlabeled trees with infinitary branching nodes, with the constructors $\mathsf{leaf} : \mathsf{tree}$ and $\mathsf{node} : (\mathbb{N} \to \mathsf{tree}) \to \mathsf{tree}$. A naive extension of the $\to$-free restriction would not forbid $\mathsf{catch}\ \alpha.\mathsf{node}\ (\lambda x.\mathsf{throw}\ \alpha\ \mathsf{leaf})$, which does not reduce to a value. It would be interesting to modify the $\to$-free restriction to avoid this. 

Instead of using a Gödel's T style recursor, it would be interesting to consider a system with a pattern match and fixpoint construct. First of all, this approach is more convenient, as Gödel's T style recursors only allow recursion on direct subterms. Secondly, this approach would avoid the need for tricks as in Example 2.10 to improve efficiency. 

Another useful extension is to add second-order types à la System F. Doing this in a naive way results in either a loss of subject reduction (if we define type variables to be $\to$-free) or makes using catch and throw for the second-order fragment impossible (if we define type variables not to be $\to$-free). 

Instead of using the statically bound control operators catch and throw, it would be interesting to consider their dynamically bound variants. In a dynamically bound catch and throw mechanism, as used for example in the programming language Common Lisp, substitution is not capture avoiding for continuation variables. We do not see problems in using such a mechanism instead. 

The further reaching goal of this paper is to define a λ-calculus with data types and control operators that allows program extraction from proofs constructed using classical reasoning. In such a calculus one can write specifications of programs, which can be proven using (a restricted form of) classical logic. Program extraction would then allow to extract a program from such a proof where the classical reasoning steps are extracted to control operators. Herbelin's IQC_MP-calculus [Her10] could be interesting as it includes first-order constructs. 

This goal is particularly useful for obtaining provably correct algorithms where the use of control operators would really pay off (for example if a lot of backtracking is performed). See [CGU00] for applications to classical search algorithms. The work of Makarov [Mak06] may also be useful here, as it gives ways to optimize program extraction to make it feasible for practical programming. 